
Static Measurements and Moving Targets:

Privacy, Biometrics and the Consumer-Bank Relationship

By Dan Fingerman

January 2003

I. Introduction


It has become cliché to fret over the erosion of privacy in modern life. However, while high-tech peeping toms and businesses selling personal information engender a vague fear in many people, few can articulate precisely the nature of their discomfort.1 Two basic philosophical approaches underlie modern notions of privacy: "personal" privacy or "intrusion upon seclusion" (the peeping tom) and "public" or "informational" privacy (information selling). One modern technology—biometrics—threatens privacy from both perspectives, which makes the nature of privacy discomfort difficult to articulate. Biometrics refers to the measurement of bodily features for the purpose of identifying individuals. For many people, the intimate measurement required for biometrics evokes the same visceral "yuck factor" as a peeping tom.2

At the same time, the specter of strangers misusing biometric data imperils the sphere of personal information which we feel entitled to control. Some may feel betrayed simply because such technologies are being widely deployed without their knowledge. These objections to biometrics seem to emerge from Americans' checkered history in addressing the moral and ethical implications of emerging technologies. Although most of the biological knowledge underlying biometrics has existed for over a century, only the recent advent of secondary, enabling technologies has made biometric programs practical.3 Small and fast computer processors, high-capacity storage media, and robust communications facilities have made biometric applications a practical option for many businesses and governments. The relatively sudden rise of biometric programs has caught most people off guard.

Simson Garfinkel, Database Nation: The Death of Privacy in the 21st Century (2000), 40 ("Garfinkel")


The public and private sectors have embraced biometrics with equal enthusiasm. In the public sector, all levels of government feel biometrics' lure. Even agencies charged with such mundane tasks as administering public welfare rolls are using biometrics.4 While the potential benefits of biometrics in law enforcement and national security are obvious, the benefits in welfare administration are much less so. John Woodward explains:

For government agencies in the United States constantly encouraged to 'do more with less,'

For example, the Los Angeles County Department of Public Social Services reported that finger imaging of welfare recipients in a pilot program reduced fraud by over $14 million and resulted in the termination of over 3,000 previously-approved entitlement cases over a three year period. The savings more than paid for the $9.6 million cost of implementing biometric technology. Recognizing this and similar positive applications, the U.S. Secret Service and the [federal] General Accounting Office (GAO) gave biometrics a qualified endorsement as a viable means to deter fraud in government entitlements distributed electronically, known as electronic benefits transfer.5

In the private sector, the banking industry has been most receptive to biometrics and conducted some of the earliest feasibility tests.6 In Japan, consumer banks have employed biometrics in their automated teller machine (ATM) networks since 1996.7 In the United States, several major banks have biometric programs in various stages of development and testing. Citicorp, Bank of America, Mellon Bank, Bankers Trust, and Chevy Chase Savings and Loan

4 Dana Milbank, Measuring and Cataloguing Body Parts May Help to Weed Out Welfare Cheats, Wall St. J., Dec. 4, 1995, at B1 ("Milbank")

5 John D. Woodward, Biometric Scanning, Law & Policy: Identifying the Concerns—

conducted tests of voice recognition and fingerprint scanning and found "that 95% of consumers would [consent to] voice recognition and 80% would use fingerprinting."9 Bank United has field-tested iris scanners in its ATMs and received positive feedback from its customers.10 At least one employee credit union has gone beyond mere testing and deployed finger scanners in its ATM network.11 Even consumers without bank accounts are using biometric equipment in "rapid pay" machines, which permit people without checking accounts to cash checks.12

Some biometric technologies are familiar, while others remain exotic. Police have used fingerprints for over a century, but Mission Impossible thrilled moviegoers in 1996 when Ethan Hunt, played by Tom Cruise, gained access to a secure vault by forging a retinal scan. "Although for many years biometrics has been widely featured in movies and high-end government and corporate applications, it is only in the past year that the technology has caught up to the hype."13 Anticipating an imminent explosion of demand for biometrics among governments, banks, and others, a growing cadre of technology companies is jockeying for position to sell biometric hardware and software. Their marketing literature emphasizes the low cost and versatility of biometric programs relative to traditional security measures.14

consumer-grade fingerprint sensors now retail for less than $70 per unit15—biometric programs will only expand.

These entities are pressing biometrics without due consideration to the moral and ethical implications of the technology—let alone a general public consensus as to biometrics' usage and, if necessary, regulation. This paper addresses issues created by this void. Part II introduces several specific biometric technologies and explains how they work. Part III outlines the historical perspective through which we should view biometrics. Part IV summarizes the law of privacy with a particular emphasis on the law applying to banks that serve consumers. Finally, part V analyzes the intersection of consumer banking, biometrics, and privacy and offers suggestions for regulating the use of biometrics.

II. Biometric Technology

Part II of this paper describes biometric technology insofar as the technology is relevant to privacy policy.16 First, it describes the four most commonly used biometric indicia and explains the advantages and shortcomings of each. Second, it introduces the two major biometric applications and gives examples of programs in each category. Third, it describes the capture, storage, and use of biometric data and introduces several specific privacy problems.

15 Bjorn, 701 PLI/Pat at 108

16 The intended audience for this paper is the legal and policymaking communities, so it does not reach all the technical detail of biometrics. For a more technical approach to biometrics, see the references cited herein and references collected in the web sites of the Biometric Consortium, <http://www.biometrics.org/>, and the International Biometric Group, <http://www.ibgweb.com/>.


A. Biometric Indicia

The International Biometric Group defines biometrics as "the automated use of physiological or behavioral characteristics to determine or verify identity."17 Biometrics entails measurement of a bodily characteristic but not the removal of tissue.18 While we can identify individuals from substances present in tissues and secretions, such as deoxyribonucleic acid (DNA), these are not biometric identifiers because they require collection of tissue and cannot yield results in realtime.19 The two major classes of biometric identifiers are primary (physiological) and secondary (behavioral) indicia.20 Primary identifiers are physical traits not separable from the body—such as fingerprints, handprints, faceprints, irises, retinas.21 Several primary identifiers comprise non-unique elements that become unique to an individual only when considered in combination with other elements.22 Non-unique traits serve as reliable primary identifiers if they yield unique patterns in combination.

Secondary identifiers are nonphysiological traits such as voice, gait, and handwriting.23 Behavioral traits are less reliable than primary identifiers for two reasons. First, individuals can consciously modify behavioral traits without the substantial deterrent of surgery or trauma required to alter primary identifiers. Second, measurement of any primary identifier requires the

17 International Biometric Group, How is 'Biometrics' Defined? <http://www.ibgweb.com/reports/public/reports/biometric_definition.html> (accessed 25 Oct. 2002) ("IBG, How is Biometrics Defined?"). The International Biometric Group describes itself as a "consulting and technology services firm [which] has provided technology-neutral and vendor-independent biometric services and solutions to financial institutions, government agencies, systems integrators, and high-tech firms

The two most important examples are faceprints and retinas. I explain the details in section C.

23 IBG, How is Biometrics Defined?. Handwriting as a biometric identifier includes the use of signatures. See Part V, infra, page 37 at note 196 and accompanying text, for further discussion of signature matching as a biometric identifier.


physical presence of the individual, whereas some secondary identifiers may be recorded long before measurement.24 Several companies have developed equipment that can distinguish between an actual live scan of a primary identifier and a scan from a photograph or video.25 Good anti-circumvention protections do not yet exist for secondary identifiers—distinguishing a live voice from a pre-recorded voice is simply a harder problem.

The following physical features are the major primary identifiers being used in or considered for biometric applications in banking.

1. Fingerprints

Fingerprints are the most widely used biometric identifier; police forces have used them for decades.26 Before proceeding, the reader should beware of the confusing terminology in this area. As used in this paper, "fingerprint" (as a single word) refers to the unique patterns that exist on the underside of every human finger. Although unique patterns exist along the entire length of the finger and extend onto the palm of the hand, the portion of the fingerprint most commonly used in biometrics is that on the pad of the finger—the area on the underside of the finger below the distal joint, opposite the fingernail. "Finger printing" (two words) refers to an impression or image of a fingerprint—usually impressed on paper with ink when created intentionally or in oil or dirt on any rigid surface when created unintentionally. "Finger scanning" is the process of capturing an image of a fingerprint with a digital sensor for use as a biometric identifier.

The "ridge patterns" of a fingerprint, including arches, loops, and whorls, form "three-dimensional contours and microscopic blemishes that are unique to each person."27 As explained in detail in the next section of this paper, a fingerprint template does not comprise an image of the entire fingerprint; it comprises only a binary data set that describes the unique aspects of the print—the location, size, and contours of various unique elements. Fixed before birth, these features do not change during a person's life under normal conditions.28 Unique fingerprint features will even grow back after trauma with sufficient identicality to permit identification with a high degree of confidence. The gangster John Dillinger famously paid a surgeon $5,000 to "burn off his fingerprints with acid."29 Unfortunately for Dillinger, his fingerprints grew back into the same pattern they had before; and he was later caught, due in part to fingerprint impressions he inadvertently left at the scene of a crime.30

Four methods can capture finger prints for biometric use. First, law enforcement agencies have used ink and paper systems for decades.31 Ink and paper impressions have several disadvantages: messiness, bulkiness of paper cards for long term storage, and imperfections in scanning for digital comparison with live data. Second, optical sensors can capture visual images of the fingerprint; these generally use charge-coupled devices (CCD) similar to those in familiar desktop scanners. Third, capacitance sensors use semiconductors to measure variations in electrical capacitance across the finger, from which they infer the fingerprint's features.32 The durability of silicon and other semiconducting materials relative to the glass used in optical

Fourth, ultrasound sensors are the newest and most promising technology.34 These sensors measure tiny differences in the transmission of sound waves through the finger and the reflection of sound waves off the fingerprint.35 Ultrasound technology alleviates the common problem of dirt, oil, and other foreign substances obscuring the sensor.36 Finally, composite sensors combine two or more of these techniques.37

2. Faceprints

While biometric identification in public areas remains limited, faceprints are the most common identifier used in such programs.38 Photographs or video frames captured at significant distances from the subject can yield a usable faceprint template—in contrast to most other biometric identifiers, which require close proximity or physical contact for an adequate measurement. Trauma, disease, deliberate medical alteration, and even changing facial expressions can change the appearance of facial features enough to fool a faceprint system. Features especially susceptible to alteration include lip size and shape, skin color, nose shape, and tooth alignment. Therefore, biometric systems use the features least susceptible to alteration: the "outlines of the eye sockets, the areas surrounding one's cheekbones, and the sides of the mouth."39

No facial feature can uniquely identify an individual, but using several in combination can provide a highly unique identifier; the face contains about 80 "nodal points" that biometric

Combination techniques include measuring the distances between features or the ratio of their circumferences. Software measures these features in photographs or video frames and creates a binary template from those measurements.41 Researchers at MIT invented the current state of the art—the "Eigenface technique"—for creating faceprint templates in 2000.42 This technique involves combining many two dimensional grayscale images to form a single three dimensional data set that describes the entire face.43 While the technique requires such detailed information to create the most accurate template, a single "mug shot" can suffice.44

As for live data, "a straight-ahead video image from a distance of three feet [yields] the most accurate" identification, but clear images collected from any distance can suffice.45 A matching technique called "feature analysis" can accommodate images of the face captured at "angles up to approximately 25° in the horizontal plane, and approximately 15° in the vertical plane."46 This technique compares the relationships between many different facial features and accommodates the widest range of facial expressions, hairstyles, and other factors that would otherwise frustrate matching.47

Facial scanning works faster but less accurately than most other methods of biometric identification.48 Consequently, it is usually a "first line of defense" whose results merely limit the number of candidate templates that slower but more accurate techniques will consider.

Practical constraints limit the size of the template database to several hundred thousand faces.50 This may suffice for security applications that seek only specified individuals (such as known terrorists at an airport security checkpoint) but it is inadequate for banks with millions of customers. For such commercial applications, template storage on a wallet card may be the most practical option.

3. Eyes

Two parts of the eye, the retina and iris, are the two most uniquely identifying biometric indicia in the human body.51 Retinas contain twenty times the number of unique identifying points as fingerprints, and irises contain as many as ten times that number.52 Ironically, however, eye scanning also presents more privacy concerns than any other biometric indicia. The following discussion of the physiology of the eye and the mechanics of data capture for eye scanning highlights these problems.

a. Retinas

The retina is "the sensory membrane that lines the eye, …composed of several layers including one containing the rods and cones, and [it] functions as the immediate instrument of

49 Id.

50 Id.

51 Id.

52 Id.


vision by receiving the image formed by the lens and converting it into chemical and nervous signals which reach the brain by way of the optic nerve."53 "The retina, a thin nerve (1/50th of an inch) on the back of the eye, is the part of the eye which senses light and transmits impulses through the optic nerve to the brain—the equivalent of film in a camera. Blood vessels used for biometric identification are located along the neural retina, the outermost of retina's four cell layers."54 The branching network of the blood vessels embedded in the retina makes up its biometrically useful characteristics; no individual point is unique, but the vessels' turning points and end points make up a highly unique identifier in combination.55 Overall, the retina provides the highest number of unique identifying points of any primary biometric identifier.56 Counterintuitively, retina templates are among the smallest in terms of the number of bits required to uniquely describe an individual retina.57

Data capture for retinal biometrics requires placing the eye within three inches of a camera for approximately one minute.58 Already, this close proximity of a foreign object to one of the body's most sensitive organs for such a long time can induce some discomfort. A light source behind the camera shines into the eye, and green light reflects off the retina, back toward the camera.59 The bright intensity of this light can cause additional discomfort during the procedure, especially considering the duration that the user must keep his eyes open. The blood vessels constituting the biometric lie just beneath the surface of the retina, producing variations in its

The camera records the variations in the intensity of light reflected back to it from the retina, and computer software infers a "map" of blood vessels from these data. The software then translates this "map" into the binary data of the biometric template describing the unique combinations of points in the retina's blood vessels.

The biology of the eye presents three special privacy problems for retina scanning. First, as already mentioned, the discomfort caused by the proximity of the camera to the eye, the unnaturally bright light shining directly into the eye, and the duration of the data capture procedure all imply a violation of personal privacy. Informed consent may solve the formal privacy problem, but it cannot assuage the underlying discomfort. Second, the retina's pattern of blood vessels can change over time, introducing a complication not present in most other biometric indicia.61 Certain diseases and traumas to the eye or head can alter their layout.62 However, the risk of deliberate alteration is generally considered small because few people would want to risk losing eyesight.63 Moreover, retinal blood vessels grow until the end of adolescence, rendering retina scanning useless for children. Third, some diseases and traumas can cause changes in other parts of the eye that block measurement of the retina.64 Thus, a disease or trauma may render the retina useless for biometric identification even without affecting the retina. The scanning equipment necessarily can detect some of these medical conditions—either through deliberate misuse or by unintentional deduction from aberrant scanning results. The user may never know if the program operator discovers medically relevant information, let alone what the operator does with that information—whether he stores it,

60 Id.

61 Rosenberg

62 IBG, Retina Scan Technology

63 Rosenberg. Note especially the low risk of an individual deliberately altering the layout of his retinal blood vessels vis-à-vis the risk of deliberate alteration of the rest of the face. Plastic surgery on the face is increasingly common, especially among affluent Americans, but eye surgery remains relatively rare.

64 IBG, Retina Scan Technology


discloses it to others, or alerts the user to the problem. This potential for medical diagnosis might conceivably render biometric program operators subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA),65 which, inter alia, establishes privacy protections for patients vis-à-vis healthcare service providers. However, the statute and the regulations promulgated thereunder limit its applicability to "covered entities"—health plans, health care clearinghouses, and "health care provider[s] who transmit[] any health information in electronic form in connection with a transaction covered" by the regulations.66 Congress intended HIPAA to cover entities whose primary business is healthcare, and its enforcement thus far has been consistent with this intent.67 Therefore, the accidental discovery of medical information by a biometric program operator would not likely bring it within HIPAA. Deliberate misuse of biometric equipment, however, would make a court far less sympathetic to the program operator.

b. Irises

The iris is "the opaque contractile diaphragm perforated by the pupil and forming the colored portion of the eye."68 "[L]ocated behind the cornea and the aqueous humour, but in front of the lens[, the iris] is the only internal organ of the body that is normally visible externally."69 The iris's distinctive characteristics lie in the trabecular meshwork—a web of fibrous tissue that fixes permanently by the eighth month of gestation and remains stable throughout a person's life.70 This meshwork "gives the appearance of dividing the iris in a radial fashion.

In contrast to the retina, which develops naturally for years after birth and may change later still due to disease or trauma, the iris never changes.72 "There is a popular belief that the iris systematically reflects one's health or personality, and even that its detailed features reveal the state of individual organs ('iridology'), but such claims have been discredited as medical fraud."73

Although the retina has more individual points for identification than the iris, retinal identification requires analysis of the configuration of many points in combination, and the retina yields fewer identifying combinations than the number of individually unique points in the iris. The retina's potential to change over time further diminishes its usefulness, so the iris is the most uniquely identifying tissue now known in the human body.74 "In the entire human population, no two irises are alike in their mathematical detail—an individual's right and left irises are different; even identical twins have different irises. The probability that two irises could produce the same IrisCode® is about 1 in 10^48

Iris scanning technology avoids implicating some, but not all, of the privacy issues that hinder retina scanning. For example, the iris' natural exposure to the outside world permits a camera to capture images of it from a distance, obviating the need for the close proximity of a retinal camera.79 A camera can detect the trabecular meshwork of an iris from three feet away.80 Moreover, this additional distance from the eye reduces the intensity of the light received by the eye, further reducing the discomfort inherent in the data capture procedure. However, iris scanning has an ambiguous effect on the risk of stealth collection of medical data by the program operator. On one hand, the iris resides near the front of the eye, so fewer tissues lie between the camera and the subject of the scan, thereby reducing the risk of incidental detection of the medical state of the surrounding tissues. On the other hand, iris scanning works best with visible and near-infrared light—the same wavelengths of light recommended by the American Academy of Ophthalmology for the diagnosis and study of conditions such as macular cysts.81 The use of wavelengths commonly used in medical procedures can only increase the potential for illicit diagnosis.

B. Biometric Applications: Identification and Authentication

The two major biometric applications are "identification" and "authentication." A biometric "program" refers to a particular system or process that seeks to identify or authenticate individuals by comparing a "live" scan of their biometric indicia against existing "biometric templates"—data derived from previous biometric scans.82 Identification, or "one-to-many," programs seek to identify specified individuals within a larger population by comparing each

79 IBG, Iris-Scan

80 Id.

81 Id.

82 A detailed discussion of the capture, storage, and use of biometric templates must wait until the next section. See part II.C., infra, page 17.


person's biometric indicia to templates stored in a database.83 For example, airport security personnel might compare the faceprint of each traveler to faceprint templates in a database of known terrorists. At the 2001 Super Bowl, law enforcement agencies used a facial recognition system, purportedly to identify terrorists and felons in the audience.84 A biometric-enabled automated teller machine (ATM) might identify customers by comparing live biometric scans to templates of the bank's customers. If it finds a match, the ATM would permit access to that customer's account; otherwise, it would deny access to any accounts.

Authentication programs, also called "one-to-one" or "verification" programs, seek to verify or refute that an individual is who he claims.85 Such programs compare live data to only one template, not to an entire database.86 For example, a biometric-enabled ATM might first ask a customer to identify himself, then compare his live biometric scan only to that customer's own template; the program need not test the live scan against any other templates. Controlling access to joint accounts presents a hybrid scenario, where the user claims to be one of two or more authorized users of a particular account.87 Counterintuitively, authentication programs do not require a database of templates: the person seeking authentication may supply the template against which to compare his body. While a biometric-enabled ATM could retrieve each template from a central database via the same electronic communication lines through which it retrieves account information, it could equally read a biometric template encoded on a magnetic strip or bar code on the customer's ATM card. The bank would simply encode the template on the card when the customer enrolls in the biometric program.

In this case, the program is still an authentication program if it first asks the user to identify himself to narrow the field of templates against which it will compare his live scan.


C. Data Capture, Storage and Use

To participate in a biometric program, a user must first enroll, "a process where multiple measurements of the particular biometric indicia are made, in order to establish a baseline for future comparison."88 Computer software creates a set of binary data called a "template" that describes the unique aspects of the biometric identifier.89 At the time of authentication or identification, an input device will capture a "live" image of the identifier, create a new set of binary data describing its unique aspects, and compare this "live" data to the stored template.90

Contrary to popular misconception, biometric systems do not directly compare images of biometric indicia, and they rarely store raw images for longer than required to generate a template. Despite the difficulty of converting images into templates,91 this conversion has three compelling advantages over using and storing "raw" image data. First, electronic computers process information in binary code, so the creation of a binary template during enrollment removes the need to extract the appropriate information from the raw image during matching, when speed matters most.92 Second, a template includes only the information useful for identification and disregards the extraneous information in the image.93 This permits the template to occupy a smaller binary "size" than the original image—reducing the cost of storage media, bandwidth required for transmission, and the time required for matching.94 One frame of high quality video, for example, occupies approximately 300 kilobytes, but a faceprint template

characteristics such as the trabecular meshwork of the iris or the precise positioning and shape of facial nodes into binary data "requires a degree in advanced mathematics" and the aid of a powerful computer. IBG, Iris-Scan.

92 Rosenberg

93 Id.

94 See Dye et al.


derived from many such frames will occupy only 1.3 kilobytes.95 Finally, the destruction of the raw image after generation of the template reduces the likelihood of abuse of the biometric data. The difficulty of reverse engineering an original image from a template affords some protection to users in the event of illicit access to the data.96 Abuse of human-readable images presents a greater loss of privacy than illicit access to data strings that only specialized software can interpret—especially when the database would associate each image with additional private information like addresses, Social Security numbers, and account numbers.

A biometric template, like any data set, can reside in many types of storage media. Common template storage media include magnetic or optical computer disks, such as hard drives or compact discs, and magnetic strips or bar codes on wallet-size cards.97 A few applications compel a particular storage medium, but most permit some flexibility. One-to-many programs generally require a central database of templates,98 for no computer can compare templates from many disparate sources in realtime. Accordingly, most identification programs store templates on computer disks, where comparison software can access them quickly. Authentication programs allow greater flexibility with respect to the storage medium. Users of authentication systems usually consent to and cooperate with them, obviating the need for realtime results: bank customers, for example, already tolerate delays of several seconds at ATMs during authentication based on personal identification numbers (PINs). Moreover, ATM users already carry wallet cards equipped with magnetic strips that identify them to the machine, so encoding a biometric template on such cards would entail minimal retooling of the card manufacture and

95 Id.

96 The erasure of nonessential data and the proprietary algorithms applied to the images combine to make reverse engineering difficult—and some would argue impossible. See Dye et al. and Rosenberg.

97 The space efficiency of a bar code for storing data surprises many people. The most common two-dimensional bar code symbology can store over one kilobyte (1,048 bits of information) in an area about the size of a postage stamp. Azalea Software, The Barcode FAQ (1999) <http://www.azalea.com/faq/> (accessed 4 Jan. 2003).

98 Rosenberg


issuance processes. The implications of a bank's choice between central template storage andstorage on wallet cards is discussed further in part V.

Once the input device captures a "live" image of a biometric identifier, computer software extracts the uniquely identifying information from that image and converts it to binary data.99 Comparison software weighs the live data against the template and returns a single value as a result—positive or negative, indicating a match or not.100 The comparison software sends the result to a second software routine which performs whatever action the program operator specifies.101 Thus, the actions taken following a positive or negative result remain independent from the comparison and can be reprogrammed without altering the comparison software.

This division between the comparison and action routines permits standardization in the comparison routines across programs and diversity in the actions taken after acceptance or rejection of a match. In a surveillance program, the action software might play an audible alarm message after a positive result while simply ignoring negative results. In a secure access program, the action software might unlock a door following a positive result but do nothing—so the door remains locked—after a negative result. In an ATM program, the action software might display account balances or a list of commands following a positive result and prompt the user to rescan his biometric indicia upon receiving a negative result. In addition to any actions taken in response to the result of any individual scan, the action software might take separate action based on the aggregate rate of positive or negative results. For example, an ATM program might trigger an audible alarm following a string of negative results in rapid succession.
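The split between a shared comparison routine and interchangeable action routines, including the ATM alarm after a rapid string of negative results, can be sketched as follows. This is an added example, not code from the paper or from any vendor; the bit-string templates, the Hamming-distance comparison, the tolerance of 4 bits and the rule of three failures within 30 seconds are all assumptions chosen for illustration.

```python
from collections import deque
from typing import Callable, Deque, List, Tuple

# Constructed sample data: real templates are vendor-specific binary formats.
ENROLLED_TEMPLATE = 0b1011_0010_1110_0101_0011_1100_1010_0110
GENUINE_SCAN = ENROLLED_TEMPLATE ^ 0b101      # same person, 2 bits of noise
IMPOSTOR_SCAN = ENROLLED_TEMPLATE ^ 0xFFFF    # different person, 16 bits differ


def compare(live: int, template: int, max_differing_bits: int) -> bool:
    """Comparison routine: returns a single value, match or no match."""
    return bin(live ^ template).count("1") <= max_differing_bits


class AtmAction:
    """Action routine for an ATM: reacts to each result and to the aggregate
    rate of negative results (assumed rule: 3 failures within 30 seconds)."""

    def __init__(self, max_failures: int = 3, window_seconds: float = 30.0):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._failures: Deque[float] = deque()

    def __call__(self, matched: bool, now: float) -> str:
        if matched:
            self._failures.clear()
            return "show_menu"
        self._failures.append(now)
        # Forget failures that fall outside the sliding window.
        while now - self._failures[0] > self.window_seconds:
            self._failures.popleft()
        if len(self._failures) >= self.max_failures:
            return "sound_alarm"
        return "prompt_rescan"


def door_action(matched: bool, now: float) -> str:
    """Secure access: unlock on a positive result, otherwise do nothing."""
    return "unlock" if matched else "stay_locked"


def surveillance_action(matched: bool, now: float) -> str:
    """Surveillance: alarm on a positive result, ignore negative results."""
    return "sound_alarm" if matched else "ignore"


Action = Callable[[bool, float], str]


def run_program(scans: List[Tuple[float, int]], template: int,
                action: Action, max_differing_bits: int = 4) -> List[str]:
    """Feed (timestamp, live_data) scans through the unchanged comparison
    routine and hand each result to whichever action routine is plugged in."""
    return [action(compare(live, template, max_differing_bits), ts)
            for ts, live in scans]


# Constructed scan sequences: three quick impostor attempts, then the owner.
RAPID_SCANS = [(0.0, IMPOSTOR_SCAN), (5.0, IMPOSTOR_SCAN),
               (9.0, IMPOSTOR_SCAN), (100.0, GENUINE_SCAN)]
SLOW_SCANS = [(0.0, IMPOSTOR_SCAN), (40.0, IMPOSTOR_SCAN),
              (80.0, IMPOSTOR_SCAN)]

if __name__ == "__main__":
    for name, action in [("atm", AtmAction()), ("door", door_action),
                         ("surveillance", surveillance_action)]:
        print(name, run_program(RAPID_SCANS, ENROLLED_TEMPLATE, action))
```

Swapping the action routine changes what the program does with each result without touching `compare`, which is the independence the text describes.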

99 Id. This process essentially creates a new template that could be stored for future use.

100 Dye et al.

101 Id.


The data capture and comparison processes described above implicate several privacy concerns. Users rarely or never have direct control over the program operator's use of the live data; the program operator could retain or otherwise misuse the live data or raw images without users' consent. Even if users have consented to centralized template storage under the program operator's control, the program operator might violate that consent by storing raw live images. He would certainly violate the consent of any users who consented to a biometric program that stores templates on media in the users' direct control, such as wallet cards. Identification programs can implicate particularly acute privacy concerns because individuals may be wholly unaware of the data capture, and they will have no opportunity to grant or deny consent. For example, law enforcement agencies already record video images of travelers in every airport, and they might convert those images into faceprint templates for future use. The customary check-in at the terminal or gate provides an easy opportunity to identify the name and destination of each person captured on tape. Such a practice would present obvious privacy problems: a person's bodily traits would enter a long-lived database without his having manifested consent in any form.

Even voluntary programs suffer from problems relating to the storage and use of live data. By definition, users consent to voluntary programs, so they may have an opportunity to review the operator's policy regarding the use and storage of live data. Informed consent can go a long way toward resolving privacy issues, but the users typically must rely on the operator's honesty in adhering to the scope of the users' consent. Additionally, the operator of a voluntary program must establish a policy for dealing with data captured from at least two types of unauthorized users—people who have not enrolled, and therefore have not consented, to the program. First, some unauthorized people will inadvertently enter areas monitored by data capture devices, especially where cameras monitor a public space or a wide area within a private building. Second, some unauthorized individuals will deliberately trigger the system for the purpose of gaining unauthorized access to whatever the system guards. While this behavior may constitute a crime (such as attempted fraud), criminals have rights—including the right to privacy.

Even restricting our focus to people who consent to a biometric program does not eliminate the problems. Particular bodily features make good biometric identifiers because they never (or rarely) change, but the software that compares live scans to templates must permit some variation between scans to account for numerous intervening variables. Those variables include different lighting conditions, background noise, new hairstyles, eyeglasses and contact lenses, movement by the user during the scan, and foreign substances on the data capture devices. Even a single biometric program may require different levels of permissiveness in different locations. An outdoor ATM, for example, must contend with greater variations in lighting, temperature, and background noise than one residing indoors. Once the program operator identifies the most likely sources of interference, he can tweak the comparison software to permit an appropriate level of variation—

The operator of a biometric program must optimize the level of permissiveness to suit the requirements of his program and the demands of users.

102 IBG, Retina Scan Technology ("Of course, there are many measures of accuracy in biometrics, and with 0.0001% [False Acceptance Rate], there will be an increased number of False Rejections.")

A given level of permissiveness in biometric comparison software can have drastically different implications in different biometric programs. Consider these two examples: program A seeks to identify terrorists at an airport security checkpoint, and program B authenticates bank customers at an ATM. In program A, a high level of permissiveness implies high levels of both security and aggravation among travelers because the permissive software will identify most real terrorists while wrongly flagging many innocent travelers as terrorists. Reducing permissiveness in program A's software would reduce both security and aggravation by allowing some terrorists to pass undetected while wrongly flagging fewer innocent travelers. In program B, permissiveness in the comparison software has the opposite correlation with security and user aggravation. Highly permissive software aggravates few ATM customers because it will produce few false negatives that would prevent legitimate customers from accessing their own accounts, but it also permits many unauthorized people to access accounts illegitimately. Low permissiveness in program B implies high security because it will prevent most illicit attempts to access accounts, but it will simultaneously aggravate more customers with false negatives.
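The opposite effect of permissiveness in programs A and B can be worked through with numbers. This is an added example, not from the original paper; the similarity scores are constructed, and the function names and the thresholds of 50 and 75 are assumptions.

```python
from typing import Dict, List

# Constructed similarity scores (0-100) between a live scan and a template.
# Scans of the same person score high but vary with lighting, eyeglasses and
# movement; scans of a different person score low but sometimes look alike.
SAME_PERSON: List[int] = [62, 70, 74, 78, 81, 85, 88, 90, 93, 97]
DIFFERENT_PERSON: List[int] = [12, 20, 25, 31, 38, 44, 52, 58, 66, 72]


def error_rates(threshold: int) -> Dict[str, float]:
    """A scan yields a positive result when its score >= threshold.
    A lower threshold means more permissive comparison software."""
    false_positive = (sum(s >= threshold for s in DIFFERENT_PERSON)
                      / len(DIFFERENT_PERSON))
    false_negative = (sum(s < threshold for s in SAME_PERSON)
                      / len(SAME_PERSON))
    return {"false_positive": false_positive,
            "false_negative": false_negative}


def program_a(threshold: int) -> Dict[str, float]:
    """Airport checkpoint (identification against a watchlist template):
    a positive result flags the traveler."""
    rates = error_rates(threshold)
    return {
        "missed_targets": rates["false_negative"],     # security failure
        "innocents_flagged": rates["false_positive"],  # traveler aggravation
    }


def program_b(threshold: int) -> Dict[str, float]:
    """ATM (authentication against the customer's own template):
    a positive result grants access to the account."""
    rates = error_rates(threshold)
    return {
        "impostors_admitted": rates["false_positive"],  # security failure
        "customers_rejected": rates["false_negative"],  # customer aggravation
    }


def sweep(thresholds: List[int]) -> List[Dict[str, object]]:
    """Tabulate both programs across a range of permissiveness settings."""
    return [{"threshold": t, "A": program_a(t), "B": program_b(t)}
            for t in thresholds]


if __name__ == "__main__":
    for row in sweep([50, 65, 75]):
        print(row)
```

The same two error rates come out of the comparison software in both programs; only their meaning changes. At the permissive setting, program A misses no targets but flags 40% of innocents, while program B rejects no customers but admits 40% of impostors.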

III. Historical Perspective on Biometrics

Biometric technology has generated warnings of hubris, fire, and brimstone but little frank discussion of the problems it presents. Proponents invoke popular bogeymen like terrorism and identity theft, and they portray biometrics as a magic bullet. "Today," writes Identix Corp., "banks and brokerage houses find themselves vulnerable to theft, from both internal and external sources, a fast-growing, alarming number of identity fraud cases and a whole host of other security risks as well as privacy issues posed by providing services over the internet."103 Fortunately, Identix and its brethren offer a product for every bugbear at low prices, of course, and requiring minimal disruption of business as usual.104 Governments and private companies launch new biometric programs at an ever-increasing rate—and not just in such obvious fields as law enforcement and ATM security. Even welfare administration has gotten fifteen minutes

Before long, the public's pervasive exposure to biometrics will diminish the technology's novelty, and our society will have lost its only opportunity for frank discussion of the technology's moral and ethical problems. This fate has plagued many technologies that lean as heavily on information as biometrics. Once any technology gains economic importance before it gains general public awareness, the public stands little chance of stopping its adoption, moral and ethical problems notwithstanding. The telegraph—the foundational modern information technology—provides the clearest example of this phenomenon.

In 1840, the United States Patent & Trademark Office (PTO) granted Samuel Finley Breese Morse a patent for the first practical telegraphy machine.106 Morse lacked sufficient personal wealth to finance a dramatic exhibition of his device, so he sought private and public funds to demonstrate it. The private sector met early versions of the telegraph "with an immediate and overwhelming lack of interest."107 Congress likewise hesitated to appropriate funds for the telegraph.108 Three years later, when Morse proposed a bill to allocate $30,000 for a public demonstration, several Congressmen openly ridiculed it, "and they proposed many amendments to the bill to show their scorn."109 These facetious amendments would have diverted half the money toward research of mesmerism, animal magnetism, and other mystical arts that were equally considered nonsense.110 They ignorantly "explained" that Morse claimed to communicate via lightning, the only source of electricity they understood.111 However, Congress did finally give Morse his money.

105 See supra, page 4, notes 4 and 5 and accompanying text.

106 U.P. No. 1,647 (issued 20 June 1840) ("Telegraph patent")

107 Kenneth W. Dobyns, History of the United States Patent Office, 118 (Sergeant Kirkland's Press

To them, the telegraph represented an arrogant infringement on god's lightning. As a painter and professor of literature,113 Morse was acutely aware of the implications of his electrical telegraph for the humanities, and he planned his publicly funded demonstration with these concerns in mind. In 1844, Morse strung a telegraph wire along the fifty miles of railroad track from Baltimore, where the Democratic party would soon hold its Presidential nominating convention, to Washington, D.C., where he would report the party's nomination long before conventional messages arrived. Despite the public controversy and ridicule, only 16 people gathered on the appointed day in the Supreme Court chamber of the Capitol, where the inventor had erected his apparatus.114 Morse gave the honor of transmitting the first signal to Annie Goodrich Ellsworth, the daughter of the Commissioner of Patents, whose family had supported Morse for years.115 In a slight dig at her friend's detractors, Ellsworth began her ceremonial first signal with a Bible verse, "What hath god wrought!"116 From the Mount Clare depot in Baltimore, Morse's friend Alfred Vail then informed the group in the Capitol that the Democrats had nominated James K. Polk five minutes earlier.117 Messengers relying on the previous state of the art—horses and paper—verified the result nearly a full day later.

112 King James Bible, Job 38:35

113 Dobyns, 119

114 Id. at 120

115 Id.

116 King James Bible, Numbers 23:23

117 Dobyns, 120; see also Tom Standage, The Victorian Internet (Walker & Co. 1998)


Despite the public feud between the moralists, theologians, and the inventor, only one newspaper covered Morse's demonstration; and the public barely noticed it.118 This indifference would not last long, however, as the technology's economic value soon overwhelmed any moral misgivings.119 The business community recognized the telegraph's potential almost as instantly as the device's transmission of information. One contemporary observer wrote about the fading voice of moral fears in Scientific American, "The steed called Lightning (say the Fates) / Was tamed in the United States / 'Twas Franklin's hand that caught the horse / 'Twas harnessed by Professor Morse."120 By 1850, a new communications industry had strung more than 12,000 miles of telegraph wire;121 five years later, networks of telegraph cables crisscrossed the nation;122 and the first transatlantic cable began service in 1865.123 During this period, the acute military need for instant communication during the Mexican and Civil Wars made the U.S. government the largest consumer of telegraph services.124 In the two decades following Morse's demonstration, society stopped asking whether it should use the telegraph and began to ask how soon telegraph networks could expand to meet its needs.

Today, the cutting edge of information technology is biometrics, and the recent wave of adoption bears striking resemblance to the telegraph's early years. A few people today speak out against biometrics as those early Congressmen and clergymen did against Morse's telegraph in 1843. Pat Robertson, founder of the Christian Coalition, warns that biometrics implies the mark of the beast.

While paying lip service to their concerns, the biometrics industry has never invited such groups as the Christian Coalition and the EFF for frank discussion of their products' implications. Just as in Morse's day, the public has begun to consume a new technology before the requisite dialog on its morality.

The telegraph grew entrenched before the 19th century public could fully grasp it, and the current explosion of biometric products has caught the 20th century public similarly off guard. The first modern biometric programs appeared in the 1980s, when minicomputers became widely available. By 2000, dozens of companies and governments had enrolled tens of thousands of people in biometric programs.127 The war on terrorism declared after September 11, 2001 has accelerated the growth of biometrics in the same way that the Mexican and Civil Wars spurred the growth of the telegraph. This growth of biometrics also piggybacks on the rise of computing technology. Although the science and mathematics underlying most biometrics have existed for over 70 years,128 exploitation of that knowledge had to wait for the electronic computer.129

Alphonse Bertillon, the son of an anthropologist and chief of the Paris police, compiled the first government database of criminals' physical characteristics in the 1880s.130 Bertillon measured body height, finger length, head circumference, distance between the eyes, and non-unique features of convicted criminals and used these data in combination to identify repeat offenders.131 This remained the state of the art until the early 20th century, when fingerprinting became widespread.132 By the 1930s, research suggested the identifying properties of the retina.133 However, the discoverers of these properties could not compare a biometric feature to a template fast enough to make the technology practical in most situations.134

Biometrics faced almost no resistance during this era, before computers enabled widespread use.135 The recent coupling of biometrics and computers has created possibilities beyond Alphonse Bertillon's wildest dreams—while reducing the economic cost of biometrics to the point where most of our society can realistically afford to participate. Bertillon probably never envisioned identifying ordinary people with fingerprints for such routine transactions as buying food at a grocery store or withdrawing cash from a bank. The fast rise of computers has enabled biometric programs that we have scarcely begun to contemplate. Theologians, civil libertarians, and others have just begun to explore the moral and ethical implications of biometrics. Biometrics' benefits resemble those of the telegraph: efficiency, speed, and convenience, to name a few. Today we have the benefit of hindsight that clearly shows the telegraph's opponents drowning in its economic wake after the Civil War. Biometrics has grown with similar speed and shows signs of an impending growth spurt. Soon, it may seem as difficult to remove biometrics from the routine of daily life as it seems to us to remove the telegraph and its successors like the telephone and the Internet. If we do not address the privacy issues inherent in biometrics very soon, we will lose the opportunity forever.

131 Garfinkel

132 Id.

133 IBG, Retina Scan Technology

134 The important exception is fingerprinting for law enforcement purposes, where officers could compare fingerprints left at a crime scene to templates in a database at their leisure, over the course of an investigation.

135 It is noteworthy that early biometric programs were limited to law enforcement. I suspect that these incurred no widespread opposition because convicted criminals have never had effective advocates in high places.


IV. Privacy Law and Consumer Banking

In 1890, Louis Brandeis and Samuel Warren wrote the foundational paper on privacy in America.136 At that time, no federal statute specifically addressed privacy, so the authors argued that the common law and the Constitution must recognize a right to privacy. Although history credits them with characterizing privacy as the "right to be let alone,"137 Thomas Cooley had coined this phrase two years earlier in his treatise.138 Today, several statutes specifically address privacy, but no privacy law specifically addresses biometrics.139 However, we can take a lesson from Brandeis and Warren and reason by analogy from existing statutes and caselaw to deduce how modern privacy law will regard biometrics. As the scope of this paper is limited to consumer banking, this discussion of privacy law will be limited to the common law, statutes, and regulations that apply to commercial banks that serve consumers.

A. Privacy at Common Law

The lay conception of privacy comes from the causes of action recognized at common law. The common law has traditionally recognized "the right to be free from the unwarranted appropriation or exploitation of one's personality, the publicizing of one's private affairs with which the public has no legitimate concern, or the wrongful intrusion into one's private activities, in such manner as to outrage or cause mental suffering, shame, or humiliation to a person of ordinary sensibilities."140 Different courts have characterized the right of privacy in different ways, but they all share certain core elements, which William Prosser summarizes "as the right to be let alone, to be free from unwarranted publicity, to live a life of seclusion, and to live without unwarranted interference by the public in matters with which the public is not necessarily concerned."141 Professor Prosser lists the fundamental privacy torts as "Intrusion upon the plaintiff's seclusion or solitude, or into his private affairs; Public disclosure of embarrassing private facts about the plaintiff; Publicity which places the plaintiff in a false light on the public eye; [and] Appropriation, for the defendant's advantage of the plaintiff's name or likeness."142

B. Constitutional Foundations of Privacy

Some scholars have argued and some Supreme Court Justices have held that the United States Constitution establishes a right to privacy.143 The Constitution does not expressly enumerate a right to privacy, but it has long been considered a corollary to core constitutional liberties.144 A majority of the Supreme Court first recognized a constitutional basis for the right to privacy in 1965, when Justice Douglas wrote in Griswold v. Connecticut145 that privacy is an unenumerated constitutional right. The "specific guarantees in the Bill of Rights have penumbras, formed by emanations from those guarantees that help give them life and substance," and one penumbra "create[s] zones of privacy" guaranteed by the Constitution.146 This penumbra emanates from the specific guarantees of the First, Third, Fourth, Fifth, and Ninth Amendments.147 However, the U.S. Constitution protects individual privacy rights only against unreasonable intrusions by the government, not against intrusions by private entities.148

141 William L. Prosser, Privacy, 48 Cal. L. Rev. 383, 389 (1960) ("Prosser")

142 Id.

143 See e.g., Griswold v. Connecticut, 381 U.S. 479 (1965) ("Griswold"); Roe v. Wade, 410 U.S. 113 (1973); W. Page Keeton et al., Prosser and Keeton on the Law of Torts

Olmstead v. U.S., 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting) ("The makers of our Constitution…sought to protect Americans in their beliefs, their thoughts, their emotions and their sensations. They conferred, as against the Government, the right to be let alone—the most comprehensive of rights and the right most valued by civilized men."); Griswold, 381 U.S. at 494 (Goldberg, J., concurring) ("[T]he right of privacy is a fundamental personal right, emanating 'from the totality of the constitutional scheme under which we live.'" (quoting Poe v. Ullman, 367 U.S. 497, 521 (1961) (Douglas, J., dissenting)))

145 381 U.S. 479 (1965)

146 Id. at 484

The Supreme Court implied the existence of "a right to information privacy"149 in Whalen v. Roe150—even while it sustained the constitutionality of a state statute requiring the collection of the names of all persons taking certain prescription drugs. The Court noted the potential "threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files."151 However, the Court applied the lowest level of constitutional scrutiny, the so-called "rational basis test," and upheld the law as rationally related to the legitimate governmental interest in preventing illegal distribution of drugs.152

Finally, some state constitutions establish a right of privacy for those states' citizens.153 However, just as with the federal Constitution, most of these state provisions protect citizens only against governmental intrusion upon their privacy.154 Only Hawaii's constitution protects citizens' privacy against intrusion by private entities.155

Haw. Const. art. I, § 6; McCloskey v. Honolulu Police Dept., 799 P.2d 953, 956 ("Privacy as used in this sense concerns the possible abuses in the use of highly personal and intimate information in the hands of government or private parties" (emphasis added)); see also McGuire at 465


C. Banking-Specific Privacy Laws

1. Background Federal Statutes

Several federal statutes and many state statutes deal specifically with privacy. "Because federal legislative jurisdiction for commercial information processing activities is drawn principally from the [Commerce Clause], federal law tends to be adopted on a narrow sectoral basis."156 In keeping with the scope of this paper, I will limit my discussion to the statutes applicable to commercial banks that serve consumers. Even in this narrow slice of the economy, where Congress acts frequently, there is no comprehensive system of privacy applicable to banks.157 Instead, Congress tends to enact ad hoc legislation in this area, addressing specific privacy problems as they arise.158 The "financial services sector has perhaps the greatest variety of applicable legislation that does not systematically address privacy concerns."159

They reasoned that "[o]f all the rights of the citizen, few are of greater importance or more essential to his peace and happiness than the right of personal security, and that involves, not merely protection of his person from assault, but exemption of his private affairs, books, and papers from the inspection and scrutiny of others. Without the enjoyment of this right, all other rights would lose half their value."166

Most banking-specific privacy laws expressly apply to only "financial" information, but, at least since the 1960s, many courts have interpreted banks' duty to maintain the customer's privacy quite broadly,167 often covering even the fact that the customer is a customer.168 Today, "a bank depositor…has a right to expect that a bank will, to the extent permitted by law, treat as confidential, all information regarding his account and any transaction relating thereto. Accordingly, …absent compulsion by law, a bank may not make any disclosures concerning a depositor's account without the express or implied consent of depositor."169 In addition, the common law of contracts has developed a privacy component in light of modern privacy statutes and regulations.170 Many jurisdictions today consider it "an implied term of the contract between a banker and his customer that the banker will not divulge to third persons without consent of the customer, express or implied, either the state of the customer's account, or any of his transactions with the bank, or any information relating to the customer acquired through the keeping of his